Security/Bug Approval Process: Difference between revisions

Line 1: Line 1:
For security bugs with no sec- severity rating, assume the worst and follow the rules for sec-critical. If you have experience fixing security bugs, you could also take a crack at rating it yourself following the [[Security_Severity_Ratings]].
===sec-low, sec-moderate, sec-other or sec-want===
Core-security bug fixes should just be landed by a developer without any
Line 10: Line 12:
If it meets the above criteria, check that patch in.


===sec-high or sec-critical===
===sec-high or sec-critical (or no rating)===
Otherwise, if the bug has a patch *and* is sec-high or sec-critical, the developer should set the sec-approval flag to '?' on the patch when it is ready to be checked into mozilla-central (or elsewhere if it is branch only).


If you have a patch and the bug is a hidden core-security bug with no rating then either:
#request sec-approval (to be safe) and wait for a rating, <br>or
# rate it and then proceed according to whether the bug is low/moderate or high/critical as above.
# rate it following the and then proceed according to whether the bug is low/moderate or high/critical as above.


  If developers are unsure about a bug and it has a patch ready, just mark